RE: WORM file system for logging
Andrew J. Luca (andrewluca@mediaone.net)
Fri, 7 Aug 1998 07:04:29 -0400
- Next message: Ryan Russell: "Re: What about Traffic Analysis?"
- Previous message: Bennett Todd: "Re: What about Traffic Analysis?"
- In reply to: Adam Shostack: "What about Traffic Analysis?"
- Next in thread: Andreas Siegert: "Re: WORM file system for logging"
Not to belabor this point, but we built a similar configuration using a
terminal server and an extra host. Each of the secure hosts pushed syslog
traffic out of the /dev/term/b port in addition to logging some of it
locally. The /dev/term/b port was connected to a terminal server which was
in turn connected (via a direct ethernet connection) to a dedicated loghost.
This host ran a process per secure host which would telnet to the terminal
server and collect all of this data.
We then had a process which would parse the data based upon pre-determined
rules. The data was either discarded (in the case of stuff we knew we
didn't want), written to a rotating file, or written to a file which was
permanently archived. This server also generated pages and e-mails for the
support groups. Last I saw, this had scaled to about fifty hosts in a
single site with about four of these installations.
I am not sure that this was the cleanest way to do this, but you can't
telnet down the serial port, and an intruder couldn't just go to the log host
since there was no easy way to know where that host was.
Just my thoughts.
Drew
-----Original Message-----
From: owner-firewall-wizards@nfr.net [mailto:owner-firewall-wizards@nfr.net]
On Behalf Of Paul McNabb
Sent: Thursday, August 06, 1998 1:20 PM
To: firewall-wizards@nfr.net; mjr@nfr.net
Subject: Re: WORM file system for logging
Another alternative is to have the syslogd running on a trusted
OS and have it configured so that the daemon can only receive
but never transmit. You could even set it up so that the log
files are accessible in only 2 ways:
(1) from log traffic being passed to the daemon via the network
and/or local processes, or
(2) in a read/write mode from the console when the machine is in
single user mode and networking is disabled.
You could relax the 2nd mechanism as much as you wanted, making
the files readable or writable via certain daemons, hosts, or
network interfaces.
paul
> From: "Marcus J. Ranum" <mjr@nfr.net>
> Date: Thu, 06 Aug 1998 10:19:20 -0400
>
> >> Perhaps if you can tell us your requirements, we can
> >> suggest something that'd match more closely.
> >
> >Well, the idea was simply to have a tamper proof syslog (apart from
> >overrunning).
>
> As far as I can tell, the easiest way to do that is to
> have a system that can read from the network and can't talk
> to it, then simply pull the syslog traffic off the wire
> and record it. You could build something like that fairly
> easily with a sniffer or an NFR that had the transmit lead
> on its network cable cut. That's a good way of securing it,
> but it does make it a pain to network manage. :) Hook a
> serial line up and strap it over to another system so you
> can tip/kermit in.
>
> >Anything but the WORM file system that we came up with has time windows in
> >which the data could be modified after it has been received.
>
> Even the WORM does, really, if you're not willing to trust
> the platform it's running on.
>
> [...]
[...]
---------------------------------------------------------
Paul McNabb                    Argus Systems Group, Inc.
Vice President and CTO         1809 Woodfield Drive
mcnabb@argus-systems.com       Savoy, IL 61874 USA
TEL 217-355-6308
FAX 217-355-1433               "Securing the Future"
---------------------------------------------------------
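The loghost Drew describes above (one collector per secure host feeding a rule-driven parser that discards known noise, writes the rest to a rotating file or a permanently archived file, and pages on the interesting events) can be sketched as a small triage routine. This is an added example, not code from Drew, Paul, Marcus or the firewall-wizards list. The syslog lines, the rule table and the hostname-mismatch check are constructed for illustration, and the three destinations are modelled as in-memory lists rather than files on the loghost.

```python
"""Rule-driven syslog triage in the style of the loghost described in the thread.

Added example; not code from any poster. Assumptions (mine, not the thread's):
lines have already been pulled off the terminal server, one feed per secure
host; the rule table and sample lines are constructed; destinations are lists.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Dispositions the parser can give a line.
DISCARD = "discard"   # known noise, never written anywhere
ROTATE = "rotate"     # kept for a while in the rotating file
ARCHIVE = "archive"   # written to the permanently archived file

# Constructed rule table, most specific first; first match wins.
# Each entry: (regex on the message part, disposition, page/e-mail on it?)
RULES: List[Tuple[re.Pattern, str, bool]] = [
    (re.compile(r"^login: ROOT LOGIN"), ARCHIVE, True),
    (re.compile(r"^su: .* failed"), ARCHIVE, True),
    (re.compile(r"^(su|login|sudo)[:\[]"), ARCHIVE, False),
    (re.compile(r"^(cron|CRON)\[\d+\]: \("), DISCARD, False),
    (re.compile(r"^syslogd .*: restart"), ROTATE, False),
]
DEFAULT: Tuple[str, bool] = (ROTATE, False)

# Classic BSD syslog line: "Mon DD HH:MM:SS host tag[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)


@dataclass
class Triage:
    rotate: List[str] = field(default_factory=list)
    archive: List[str] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)   # what would be paged/e-mailed
    discarded: int = 0                                # noise is counted, not stored


def parse(line: str) -> Optional[Tuple[str, str, str]]:
    """Split a syslog line into (timestamp, host, message); None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("host"), m.group("msg")


def classify(msg: str) -> Tuple[str, bool]:
    """Return (disposition, alert) for the message part of a line."""
    for pattern, disposition, alert in RULES:
        if pattern.search(msg):
            return disposition, alert
    return DEFAULT


def triage(feed_host: str, lines: List[str]) -> Triage:
    """Route one secure host's feed.

    feed_host is the host the terminal-server port belongs to.  The port, not
    the text of the message, is what tells the loghost where a line came from,
    so a line whose own hostname disagrees is archived and flagged.
    """
    out = Triage()
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            # Garbage on the serial line is kept rather than silently dropped.
            out.archive.append(f"{feed_host} UNPARSED {line}")
            continue
        _ts, host, msg = parsed
        disposition, alert = classify(msg)
        if host != feed_host:
            out.alerts.append(f"{feed_host}: hostname mismatch in line: {line}")
            disposition = ARCHIVE
        if alert:
            out.alerts.append(f"{feed_host}: {msg}")
        if disposition == DISCARD:
            out.discarded += 1
        elif disposition == ARCHIVE:
            out.archive.append(line)
        else:
            out.rotate.append(line)
    return out


# Constructed sample feed for the secure host "fw1" (not real log data).
SAMPLE_FEED = [
    "Aug  7 06:59:01 fw1 cron[211]: (root) CMD (/usr/lib/newsyslog)",
    "Aug  7 07:01:12 fw1 su: 'su root' succeeded for drew on /dev/pts/1",
    "Aug  7 07:01:40 fw1 login: ROOT LOGIN ON console",
    "Aug  7 07:02:03 fw1 named[118]: zone example.test loaded",
    "Aug  7 07:02:30 fw1 syslogd 1.3-3: restart",
    "Aug  7 07:03:15 gw2 su: 'su root' failed for guest on /dev/pts/2",
    "~~~line noise from the terminal server~~~",
]

if __name__ == "__main__":
    result = triage("fw1", SAMPLE_FEED)
    print(f"discarded={result.discarded} rotate={len(result.rotate)} "
          f"archive={len(result.archive)} alerts={len(result.alerts)}")
    for a in result.alerts:
        print("ALERT", a)
```

Running it on the sample feed discards the cron line, rotates the named and syslogd lines, archives the two su events, the root console login and the unparseable noise, and raises three alerts: the root login, the failed su, and the hostname mismatch on the line claiming to come from gw2.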
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:39 CDT